AUSTRALIAN PRIVACY CHARTER COUNCIL
Submission to the Commonwealth Attorney-General
Re: Proposed National Privacy Legislation
'Further details', as released in December 1999
January 2000

Convenor

Australian Privacy Charter Council

Version of January 2000

© Australian Privacy Charter Council, 2000

This document is at http://www.privacy.org.au/apcc/Submns/AG0001.html


Introduction

The Charter Council had eagerly anticipated the release of further details of the proposed legislation. Unfortunately we are sadly disappointed by the document released in December. The government appears to have taken little if any notice of the criticisms we and other privacy and consumer groups made in response to the September Information Paper (other than perhaps on the issue of enforceability of Codes). On the other hand, there have been several significant changes that seriously undermine the scope and effectiveness of the proposed regime.

The government's proposals now amount only to a set of partial and imperfect 'safeguards' as to how personal information can be used. The proposed regime has lost most of its other critical function, which is to give individuals more control over when and if personal information can be used. In the context of growing business convergence, e-commerce and so-called customer relationship management (often a code term for cross-selling), it is this control function which will increasingly be demanded by consumers.

Our detailed comments and criticisms are given below. Our conclusion is that we are unable to support the draft legislation in its current form. If enacted, it would provide an entirely false sense of reassurance to the Australian public. It would also, in our view, fail to meet the standard of adequacy required by European Union member states for transfer of personal data to other jurisdictions under Articles 25 & 26 of the 1995 Data Protection Directive (95/46/EC). As a result of these weaknesses, it would fail to give consumers and business alike the confidence to use and invest in electronic commerce and service delivery, which we understood to be one of the government's main objectives.

The good work done over the last two years by participants in the Privacy Commissioner's consultation process, and more recently in the government's consultations, will have been largely wasted if the legislation proceeds in the form suggested in the December document. Unless significant changes are made, we will have no alternative but to campaign not only for amendments in the Senate but also for the States to set higher standards, even if this means a patchwork of different rules which we would have preferred to avoid.

The Charter Council urges you to reconsider the main weaknesses that are identified below. The required changes, most of which would not be opposed by business interests, could result in legislation which we could all support.


Comments on key features

Employee record exemption

We remain totally mystified as to the logic of the proposed exemption for employee records - the government has produced no evidence or details of the protection that it claims is or will be provided under Workplace Relations legislation. As we have repeatedly stated, the handling of employment records is one of the areas where individuals are most in need of the safeguards provided by accepted privacy principles - given the serious consequences that can flow from inappropriate practices.

However effective the legislation is made in relation to other types of personal information, we will only have 'half a law' if employment records remain exempted.


Media exemption

Again, while we acknowledge the need for exemptions from some of the principles for the news media, the proposed media exemption is far too broad.

Firstly, it is a serious mistake to try to define the exemption via a definition of journalism that rightly includes reporting etc. of 'information'. This correctly characterises the profession of journalism broadly, but results in the exemption applying to virtually anything that any publisher does. The important issues of freedom of speech and the public interest role of the media are confined to news and current affairs - there is no justification for the exemption extending to so-called 'infotainment' or other forms of publication and broadcasting.

Another danger in the current approach is that any organisation could seek to legitimate a breach of the collection or use and disclosure principles simply by publishing the information, thereby compounding the breach.

While a suitable definition may be difficult to agree, it is necessary if some of the most scurrilous and intrusive privacy invasive practices 'hiding' behind the media exemption are to be avoided.

One possible partial solution would be to introduce a public interest test whereby news and current affairs providers would have to demonstrate a genuine public interest in the practice concerned in order to take advantage of the exemption.


Small business exemption

The proposed operation of this exemption is somewhat unclear. "Small business" is defined to exclude organisations holding sensitive data, which seems obtuse, as some small businesses (as the term is normally used) will legitimately hold sensitive data. The exemption then also requires that the small business not "transfer personal information ... to anyone else for a benefit, service or advantage." This would seem to ensure that only innocuous activities are exempt, although it should be recognised that the effect will be (rightly) to keep many small businesses under the coverage of the law.

The introduction of the term 'transfer' in this provision (with a different meaning from its use in the transborder data flow principle) is potentially confusing. It may be helpful to clarify that the exemption would not be lost simply as a result of a small business 'disclosing' personal information incidentally as a result of a legitimate activity - e.g. to contractors or agents.


Use by related organisations

The National Privacy Principles already had a serious weakness in the wide definition of 'organisation'. This has now been compounded and magnified by the inclusion of a provision (Clause 22) that expressly allows collection and disclosure between organisations that are 'related' as defined under the Corporations Law.

There is no justification for this broad exemption from the application of the collection and use & disclosure principles to transfers of information between organisations simply on the basis of an arbitrary company law association. The structure of corporate groups is usually quite opaque to consumers and often bears no relation to functions, activities or lines of business.

The basis of the use and disclosure principle is to ensure that only those uses and disclosures that are within the reasonable expectation of individuals are permitted without consent (unless they meet one of the other defined exceptions). To override this presumption in favour of corporate groups being able to exchange data at will would fatally undermine the principle.

The use and disclosure principle (Principle 2) should apply unaltered to transfers between different legal entities. If owners choose to take advantage of complex corporate structures for other reasons, they should not gain the incidental benefit of being able to ignore individuals' legitimate and reasonable expectations about privacy.

To give a practical example, many people are concerned about the use of personal information for the purposes of marketing of goods or services that are unrelated to an earlier transaction during which their details were originally captured. The effect of this provision (Clause 22) is that many such marketing uses will not even have to pass the (already inadequate) tests included in Principle 2.

The provisions in clauses 23 and 24 relating to transitions in partnerships seem adequate to deal with changes in ownership, but similar provisions should also apply to changes in ownership of corporations. We had assumed that the normal application of business law would apply to such transitions and that special provisions would not be necessary in the Privacy Act. But if such provisions are included, it should be made clear that successor 'owners' inherit the obligations about use and disclosure that applied to their predecessors, and that they would not be free to redefine the boundaries of use and disclosure without reference to the individuals concerned.


Health information

We do not disagree with the need for special attention to personal health information, but the proposals are too generous in relation to management and research uses without consent.

The interaction of the various provisions concerning sensitive and health information is quite complex and not easy to fully understand.

In the definitions, it should be expressly stated that health information includes information about an individual's genetic make-up - this is potentially one of the most sensitive pieces of information about someone, and the public will rightly demand that the most stringent privacy principles apply to genetic information.

The definition of health service includes activities "claimed" by the provider to be in the defined categories. If the only use of the definition was to apply more stringent standards, the breadth of this definition would not matter too much, but as the effect is in some cases to give access to more generous use and disclosure rules, extreme care needs to be taken to ensure that only recognised health professionals can take advantage of them.

The definition of immediate family member, which has special significance for health information, includes "a member of the individual's household". This seems too loose given the incidence of multiple occupation and shared housing. We note that it is a broader definition than that recommended by the Privacy Commissioner in his advice on health information, and we would support his more limited definition.

We remain concerned that the sensitive information principle (P10) applies only to collection. As we noted in our earlier submission, the more restrictive conditions of this principle should apply not only to collection but also to 'secondary' use and disclosure of sensitive information collected initially for a bona fide purpose.


Note about 'related purpose'

The government has accepted the Privacy Commissioner's advice to vary the wording of Principle 2.1(a) for sensitive (including health) information, which will be required to be 'directly related' to the purpose of collection to take advantage of this exception. While we support the intention of this amendment, we are concerned that it might have the unintended effect of lessening the protection offered to all other personal information, which can be used under exception (a) if the purpose is merely 'related'. Our concerns in this respect are heightened by the suggestion in the Privacy Commissioner's advice on health information that such uses as management and planning of health care may be regarded as 'directly related'.

While this is intended to be the subject of further guidelines, we are disturbed by this interpretation. We would argue that many of the 'administrative' uses of health information being discussed are not only not 'directly related', they are not even 'related', at least not closely enough to gain the benefit of exception (a). It is essential that the statutory regime retains the integrity of the fundamental 'purpose limitation' principle (finalité in the European literature) and does not allow too many self-serving uses to be 'authorised' by the necessary related purpose exception.

Fortunately, the other part of the test in exception (a) -- that the use be within the reasonable expectation of the individual -- should ensure that there is not too much 'creep' towards excessively broad interpretations. But constant vigilance will be required to ensure that the natural tendency of data users to regard most intended uses as 'related' is held in check.


Relationship of Codes to the default statutory regime

The document is unclear on the important issue of enforcement of codes, and ensuring consistency of interpretation. As we have argued in earlier submissions, it is essential that there be some formal link between an approved Code and the statutory enforcement mechanisms. Clause 28(3)(d) suggests that a Code adjudicator's decisions will have the same status as those of the Privacy Commissioner in the default scheme. If this means that adjudicators' determinations will be enforceable in the federal court (magistracy), then we welcome this as a significant improvement. It is however difficult to see how private sector Code adjudicators can be given the same powers as a statutory officer, and their effectiveness may therefore be hindered.

The document is also silent on a right of appeal against decisions of Code adjudicators. The ability to enforce a favourable determination in the federal court (magistracy) is of no value to a complainant whose complaint has not been upheld by a Code adjudicator.

Our other related concern was about consistency of interpretation. Very few privacy complaints can be expected to reach the federal court (magistracy) and this will not therefore be an effective way of ensuring consistency. It is essential in our view that the Privacy Commissioner be given some role in reviewing decisions of Code adjudicators - not necessarily an automatic right of appeal, but at least the ability (discretion) to intervene in significant cases, either as a result of a complainant's request or on his or her own initiative.

Even with the requirement in clause 28(3)(a) that a Code complaint handling scheme must meet prescribed standards (envisaged as the 1997 Consumer Affairs Benchmarks), we have no confidence, on the basis of self-regulation to date in various sectors, that Code adjudicators left entirely to their own devices will provide individuals with impartial, fair and consistent judgements on privacy issues, particularly given the necessarily broad nature of the principles.

Ultimate authority to set the privacy standards expected of the private and public sectors alike should reside with one or more independent statutory officers - sectoral bodies appointed by and responsible to businesses in that sector run the constant risk of adopting convenient interpretations which favour industry practices over a robust defence of individuals' rights.

It remains unclear whether Codes approved by the Privacy Commissioner will be disallowable instruments. Given the Commissioner's ability to approve not only initial Codes, but also variations, and to revoke Codes, which amount to the law for the relevant sector, the safeguard of potential disallowance is essential.


Other comments

Journalists' sources

It is not clear whether the proposed protection for journalists from disclosing their sources applies only to investigations under the privacy law (by the Privacy Commissioner or a Code Adjudicator), or more generally.

It would also be unacceptable if the effect of this protection was to incidentally protect a source who had breached the privacy principles in disclosing information to a journalist. We seek your reassurance that this would not be the effect.


Retrospectivity

Clause 14 disapplies Principles 1, 2, 6 and 10 from information collected prior to commencement. While this is sensible for Principles 1 and 10, there is no reason why organisations should not be required to use best endeavours to comply with at least the spirit of Principles 2 and 6 in respect of information already held, accepting that it would be unreasonable to enforce the same standards as would apply to information collected subsequently. Experience overseas suggests that many organisations will in any case find it easier to apply the same regime to all data than to make an administrative distinction.


Additional Matters Not Addressed by the 'Further details' Paper

The December paper does not deal with some important issues covered in the September paper. For the record, we repeat below our comments on these 'missing' issues.

Structure and timing

While a phased introduction is acceptable, there is no reason why the Privacy Commissioner could not be given the power to investigate complaints during Stage One, albeit without the power to find breaches of the principles or award remedies. A recommendatory ombudsman role during this stage would complement the educational and promotional roles, and would help to ensure that organisations took their responsibilities seriously as they prepared for full implementation. Without it, it will be difficult to generate public interest in the new rights.


Outsourcing

As we have already indicated in an earlier letter, it is unacceptable to delay the re-introduction, passage and implementation of the Privacy Amendment Bill 1998. Waiting until private sector contractors are covered by the proposed new legislation will leave a further gap of nearly two years in which personal information handled by contractors will lose the existing protection of the Privacy Act. With major data processing and other functions of government due to be contracted out within this period, the delay is inexcusable. Unless the government is prepared to freeze any further contracting out until the new privacy legislation is in place and operational, the 1998 Bill should be passed as soon as possible to ensure that Australians do not lose the limited privacy protection that they currently enjoy.

This would mean that some private sector businesses would have to operate under two somewhat different sets of principles, depending on whether or not they were carrying out work for a Commonwealth agency client. But this outcome is unavoidable - even if the 'outsourcing' amendments are not passed, contractors will be required by contract to apply the IPPs, as well as being independently liable under the private sector regime.

The longer term issue of harmonising private and public sector regimes is discussed further below.


Scope

The Council supports the government's apparent intention to take the opportunity of the new legislation to review the existing exemptions for certain government agencies and business enterprises imported from the FOI Act.


The National Principles

We have previously indicated that we have some concerns about the Privacy Commissioner's National Principles, which represent the Commissioner's best efforts rather than a consensus between the parties involved in the consultations. Apart from the matter of Principle 10 already mentioned above, we have concerns about the following:


Created: 3 August 2000

Last Amended: 3 August 2000